I just set up RouterOS 5.0 RC7 on my x86 box with two NICs. The setup was easy enough; made ether1 a DHCP client for the WAN and ether2 a DHCP server and default gateway for the LAN. I’ve established Winbox connectivity, but I really have no idea where to go to get ether2 (my LAN) connected to ether1 (my WAN Internet connection). I can ping 8.8.8.8 via ether1 in Winbox. I could find nothing in the wiki to point me in the right direction post-setup.
Also, since I will require a level 4 license within the next 24 hours, I’m told I’ll need the software ID and “device type”. I located the software ID without issue, but I’m unable to determine my device type. Thoughts?
You probably need to configure NAT so that your privately addressed LAN network can get to the publicly addressed WAN network. Going on the sparse details you posted, that would be along the lines of:
If that doesn’t work, post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, and “/ip firewall export” for specific help.
You can find your platform information via “/system resource print” - but it’s going to be an x86 system.
My final question implores your personal recommendation. I’d like to know what my next configuration steps are assuming this router will be used as a firewalled home router. Vague, I know, but any direction will be beneficial.
Thanks!
EDIT: Also, I’m finding that IPv6 has already been configured by default, though I did not initiate its configuration. Should addresses in IPv6 > Addresses be purged?
Don’t touch the addresses for IPv6. IPv6 uses something called stateless autoconfiguration where link local addresses are generated on every interface. If you don’t need IPv6 you should rather go to “/system packages” and uninstall the IPv6 package. The IPv6 addresses you see start with fe80, which indicates they cannot be used outside of that link. You can keep them without any security implications. They are completely non-routable, more so than even private IPv4 addresses.
The wiki has very many firewall examples. Here is what I use for simple routers. It only allows LAN to WAN traffic, you’d have to punch holes for any services you want publicly available. The WAN interface is called ‘outside’, and not ‘ether1’, and LAN users cannot pass some traffic - such as NetBIOS - to the WAN. If there is more than one LAN interface the LAN networks are blocked from talking to one another. The address list is used to enumerate all networks that will have access to the router. The IP firewall filter wiki manual has all the details on what the rules mean, but feel free to ask for clarification.
Got it. I’d love it if you could chime in on some tiny details to perfect my new router.
To begin, with regard to port forwarding, I read on the wiki that I just need to add a dstnat rule. Apparently a WAN destination address is expected, but what value should I use if my ISP uses DHCP addressing? Am I also required to create a firewall in addition to this?
There is one computer in the house that should be denied access to all addresses except one internal address during a certain time period on certain days. Would such a rule be added as a firewall rule or as a queue? How might such a rule be implemented?
When I configure IPv6 per the wiki, will those changes overwrite the default stateless values? In this configuration, it appears I encounter another example where a static WAN address is expected, though my ISP uses DHCP. Thoughts?
I notice that with my DHCP server, clients will be assigned unallocated addresses from the pool beginning with *.254 going backwards to *.100. Is there any way to configure my DHCP server to assign IP addresses starting at the beginning of the pool?
Thanks so much for your help thus far, I really appreciate it.
To begin, with regard to port forwarding, I read on the wiki that I just need to add a dstnat rule. Apparently a WAN destination address is expected, but what value should I use if my ISP uses DHCP addressing? Am I also required to create a firewall in addition to this?
You can replace the destination IP address with the following combination: “in-interface=ether1 dst-address-type=local” - which means “packets that are coming into ether1 (the WAN interface) and destined to an IP address implemented on a router interface”. That’s close enough, and will work.
There is one computer in the house that should be denied access to all addresses except one internal address during a certain time period on certain days. Would such a rule be added as a firewall rule or as a queue? How might such a rule be implemented?
First of all: the router cannot possibly keep a machine on a local network behind the router from talking to other machines on that same local network. TCP/IP hosts on a local network talk directly; only traffic destined to networks other than the local network will be forwarded to the host’s default gateway (the router). With that caveat explained, that would be a firewall rule. Something along the lines of “/ip firewall filter add chain=forward src-address=192.168.0.1 action=drop”, which would keep 192.168.0.1 from passing any traffic through the router. It still could talk to that one internal address it needs access to, but would also have access to any other internal address as previously explained.
When I configure IPv6 per the wiki, will those changes overwrite the default stateless values? In this configuration, it appears I encounter another example where a static WAN address is expected, though my ISP uses DHCP. Thoughts?
I would suggest dropping IPv6 for now. Revisit it when you’re familiar with IPv4.
I notice that with my DHCP server, clients will be assigned unallocated addresses from the pool beginning with *.254 going backwards to *.100. Is there any way to configure my DHCP server to assign IP addresses starting at the beginning of the pool?
No, you cannot change the order of assignment. Well. There is a really, really ugly hack where you chain 155 pools with one address each, but you shouldn’t use really, really ugly hacks.
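The port-forwarding and time-restriction suggestions in the reply above, written out as full RouterOS commands. This is an added example, not part of the original posts: ether1 as the WAN interface and 192.168.0.1 as the restricted host follow the thread, while the internal server 192.168.0.10, the forwarded port, and the time window are constructed values.

```routeros
# Port forward that works with a DHCP-assigned WAN address:
# match on the WAN interface and "any address owned by the router"
# instead of a fixed dst-address.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address-type=local \
    protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.0.10 to-ports=443 \
    comment="example: forward WAN tcp/443 to internal server"

/ip firewall filter
# dstnat rewrites the destination before the forward chain is evaluated,
# so a forward chain that drops WAN-to-LAN traffic needs a matching
# accept for the translated (internal) address and port, placed above
# the rule that drops that traffic.
add chain=forward in-interface=ether1 dst-address=192.168.0.10 \
    protocol=tcp dst-port=443 action=accept \
    comment="example: permit the forwarded service"

# Time-limited block for one host. The time matcher takes a range plus
# a list of days, and depends on the router clock being correct.
# The rule only takes effect if it sits above any rule that accepts
# established connections or general LAN-to-WAN traffic.
# Traffic to hosts on the same LAN never reaches the router, so this
# rule does not affect it.
add chain=forward src-address=192.168.0.1 \
    time=20h-23h,mon,tue,wed,thu,fri action=drop \
    comment="example: no routed traffic for this host on weekday evenings"
```

Rules created with `add` are appended to the end of the chain, so check the resulting order with `/ip firewall filter print` and reposition them if earlier rules already decide the traffic.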
Thanks very much for your help. I’m very satisfied with my configuration. I look forward to implementing some unique and powerful enhancements to my new MikroTik router.